We resolve _dmarc.<domain> in public DNS, parse the TXT record, and surface every tag - the policy (p=), subdomain policy (sp=), percentage rollout (pct=), alignment modes (adkim, aspf), and the reporting URIs (rua, ruf).
We also resolve the SPF record on the apex and surface the include count - SPF caps at 10 DNS lookups per RFC 7208, and many real-world records hit 9 silently and break the next time anything changes. Catching it before that point is the value.
Grade is composite: policy strength (reject > quarantine > none), pct=100 vs partial rollout, presence of rua reporting (you can't enforce what you don't observe), subdomain-policy posture, and SPF lookup count.
p=none means observe-only. You're collecting DMARC reports but receivers won't act on auth failures. Fine as a starting point but the destination is p=reject. Use the DMARC walk-through wizard for a personalized migration plan.
sp= defaults to your p if absent. Explicitly setting sp=reject on the apex is what stops attackers spoofing arbitrary subdomains you've never even provisioned.
SPF lookup count at 9 or 10 means you're one include away from a hard fail. Flatten with the SPF flattener.
What's a 'good' DMARC policy?
p=reject with pct=100, sp=reject, and an active rua reporting endpoint. That posture rejects unauthenticated mail, applies the same rule to subdomains you have not explicitly carved out, and gives you ongoing visibility into deliverability via the daily aggregate reports.
Is DMARC required by Gmail / Yahoo / Microsoft?
For high-volume senders (~5k+/day to Gmail), yes - Gmail and Yahoo enforced this in February 2024. Below that threshold DMARC is not strictly required but is heavily weighted in deliverability scoring across all major receivers.
Should I jump from p=none to p=reject in one go?
Almost never - quarantine acts as a soak phase. Common cadence: 2 weeks at p=none observing, 2 weeks at p=quarantine pct=10, then ramp the percentage to 50, 100, then cut over to p=reject once pass rate is comfortable (target >99%). The wizard walks you through this calibrated to your detected providers.
Why does my SPF lookup count matter?
RFC 7208 caps SPF at 10 DNS lookups during evaluation. Exceed it and the receiver returns a permanent error - which DMARC alignment treats as a fail. SaaS-heavy email stacks pile up lookups fast (Mailgun + SendGrid + Google + Postmark = 4 lookups already, before any nested includes).
What is the difference between rua and ruf?
rua = aggregate reports (daily XML summary of pass/fail counts per source IP). ruf = forensic reports (sample headers from each failure). rua is the workhorse - point it somewhere that parses the reports. ruf is rarely supported by major receivers anymore due to privacy.
Does Wiredepth store my DMARC reports?
The free DMARC PDF tool at /dmarc-pdf renders reports to PDF without storing them. Wiredepth Pro can ingest your rua endpoint continuously and surface trends + regression alerts.